DOM Based XSS and Adding HTML Elements

Question

So as a rule of thumb I once learned that adding or removing HTML with JavaScript/JQuery (.html(),.append(), etc) leaves yourself wide open for DOM Based XSS Attacks. It is now my understanding that this is not 100% true. Supposedly there is a correct and safe way to add/remove HTML with JavaScript. I am hoping to learn some on what this "correct way" may be.

So as an example lets say I have an input filed that allows a user to append an item to a list. In this case the input would also be added to an array to be sent in future requests. Additionally this list would have a button to remove said item from that list. In an insecure environment we might do something like the following (negating array):

var list = $("#my_list"); $("#add_btn").on("click", function(){ let input = $("#input_field").val(); list.append( '<li>'+input+' <button>Remove</button></li>' ); }); $("#my_list").on("click", "button", function(){ $(this).closest("li").remove(); }); 

How might one do the same but without the threat of XSS?

Link to JSFiddle demonstrating different suggested solutions

Answer 1

Creating the DOM as string and using append or html indeed leads to DOM-based XSS. What you should do instead is to built the DOM elements using the proper functions and only inserting user-supplied input as text. Example:

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script> <ul id=my_list class=my_list></ul> <input type=text id=input_field value="<img src=x onerror=alert(1)>"> <button id=add_btn></button> <script> var list = $("#my_list"); $("#add_btn").on("click", function(){ let input = $("#input_field").val(); // this is insecure: //list.append('<li>'+input+' <button>Remove</button></li>'); // this is secure: var listentry = document.createElement('li'); listentry.innerText = input; list.append(listentry); }); </script>